
The title summarises it all but here's an example:

You're sharing some hardware equipment with your dev colleagues. Some days everything works well with it; the next day nothing works anymore, you can't even get yum to play nice, etc. And it's not clear what changed since last time.

What I'm looking for is software, or a Linux framework, that does system-wide auditing in order to track:

  • who was logged in and when
  • which files have been modified during that session
  • what exactly has changed within those files, like diff does

So far, I've seen packages like audit and acct address the first 2 points but don't seem to provide any detailed info about what has changed, the third point.

As you don't necessarily want to monitor the whole filesystem, restricting it to the configuration dir /etc would be a great start, keeping track of changes a bit like diff does. This way it would be easy to find out what config change causes system-wide issues. Any ideas?

fduff

1 Answer

3

I recommend OSSEC and/or (as mentioned by Schroeder) Tripwire. However, I also recommend the principle of least privilege. If you have your developers all using escalated privileges to do their work, I emphasize placing them in groups and using sudo. For added measures, I'd add timestamps to bash history files where applicable. This will enable you to track what commands occurred at what time (if users don't erase their history, but that too can be addressed).

munkeyoto
  • Thanks for pointing out OSSEC, it looks interesting. Yeah I meant monitoring mainly config files for changes, and if some modifications are made, at least have a way to see what has changed. – fduff Jun 20 '16 at 20:40
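As an added example (not code from the question, the answer, OSSEC or Tripwire): a small POSIX shell change tracker that snapshots a config directory and later reports, diff-style, which files changed and what changed inside them, which is the asker's third point. It assumes coreutils (find, sha256sum, cp, diff); the baseline path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the question or answer): a minimal diff-style change tracker
# for a configuration tree such as /etc. Assumes a POSIX shell with coreutils
# (find, sha256sum, cp, diff). Only file *content* is compared; ownership and mode
# changes, which OSSEC and Tripwire also track, are out of scope here.

# Emit "sha256  ./relative/path" for every regular file under DIR, sorted.
manifest() {                              # manifest DIR
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do sha256sum "$f"; done)
}

# Record a baseline: a full copy of SRC (so diffs can be shown later) plus its manifest.
take_baseline() {                         # take_baseline SRC BASELINE_DIR
    rm -rf "$2" && mkdir -p "$2/tree" && cp -a "$1/." "$2/tree/"
    manifest "$2/tree" > "$2/manifest"
}

# Compare SRC against the baseline; print one line per difference:
#   A path (added since baseline), D path (deleted), M path (content modified)
changed_files() {                         # changed_files BASELINE_DIR SRC
    base="$1/manifest"; cur=$(mktemp)
    manifest "$2" > "$cur"
    awk -v base="$base" '
        FILENAME == base { h[$2] = $1; next }
        { seen[$2] = 1; if (!($2 in h)) print "A " $2; else if (h[$2] != $1) print "M " $2 }
        END { for (p in h) if (!(p in seen)) print "D " p }' "$base" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# The asker's third point: show what changed inside each modified file, like diff does.
show_diffs() {                            # show_diffs BASELINE_DIR SRC
    changed_files "$1" "$2" | while IFS= read -r line; do
        status=${line%% *}; path=${line#* }
        case "$status" in
            M) diff -u "$1/tree/$path" "$2/$path" || : ;;   # diff exits 1 when files differ
            A) echo "added:   $path" ;;
            D) echo "deleted: $path" ;;
        esac
    done
}

# Usage (the baseline path is an assumption; pick your own):
#   take_baseline /etc /var/lib/etc-baseline      # once, while the box is healthy
#   show_diffs /var/lib/etc-baseline /etc         # when things break
```

Run the baseline step as root so files readable only by root are included, and keep the baseline directory outside /etc so it is not reported as a change itself.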